CVE-2023-1166: 
WordPress vulnerability analysis and mitigation

The USM-Premium WordPress plugin versions prior to 16.3 contain a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-1166. The vulnerability was discovered by Mohamed Selim and publicly disclosed on June 5, 2023. This security issue affects the plugin's settings functionality, specifically impacting WordPress installations, including multisite setups (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. The issue has been assigned a CVSS score of 3.5 (low severity) and is classified under CWE-79. The vulnerability specifically manifests in the text field settings of the subscription form feature, where unsanitized input can be stored and later executed (WPScan).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disabled. This is particularly concerning in multisite WordPress setups where such restrictions are commonly implemented (WPScan).

The vulnerability has been fixed in version 16.3 of the USM-Premium plugin. Users are advised to update their installations to this version or later to mitigate the risk (WPScan).